clara/nix-infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sops-nix setup

Browse source
This commit is contained in:
Clara Dautermann 2025-04-15 08:43:01 +02:00
parent d51709f0cd
commit 30156bad33
Signed by: clara
GPG key ID: 223391B52FAD4463
4 changed files with 62 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1 +0,0 @@
secrets/

15
.sops.yaml Normal file
View file

@ -0,0 +1,15 @@
keys:
# People
- &clara 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
# Servers
- &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
creation_rules:
- path_regex: secrets\/all\/*
key_groups:
- pgp: [*clara]
- path_regex: secrets\/wireguard\/*
key_groups:
- pgp: [*clara]
age: [*wireguard]

12
configs/services/wireguard.nix
View file

@ -5,6 +5,14 @@ in {
"net.ipv4.ip_forward" = lib.mkDefault true; "net.ipv4.ip_forward" = lib.mkDefault true;
"net.ipv6.conf.all.forwarding" = lib.mkDefault true; "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
}; };
# set up secret key
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
secrets.wg_private_key = { };
};
networking = { networking = {
firewall.allowedUDPPorts = [ wg_port ]; firewall.allowedUDPPorts = [ wg_port ];
firewall.rejectPackets = true; firewall.rejectPackets = true;
@ -25,8 +33,8 @@ in {
address = [ "10.8.1.1/16" ]; address = [ "10.8.1.1/16" ];
listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers) listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
# Path to the private key file. # Path to the private key file (see sops).
privateKeyFile = "/root/privkey"; privateKeyFile = "/run/secrets/wg_private_key";
peers = [ peers = [
# For a client configuration, one peer entry for the server will suffice. # For a client configuration, one peer entry for the server will suffice.

37
secrets/wireguard/secrets.yaml Normal file
View file

@ -0,0 +1,37 @@
wg_private_key: ENC[AES256_GCM,data:51eBmT70Y0dMcTs/tIZrLpPoXsC7YBcbKLl5UPnRp7iEw+ZSpSnrSrKI/uQ=,iv:ULxRzi1bv74WINeDtcw0LrSuquQfQuZTYz+n2eH1nCk=,tag:79oVQvpnYHihdQZviiClvg==,type:str]
sops:
age:
- recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaUM0RHNTck5PMWtWcnh6
R2dpSElSUjhheWZCazBDL2VtcXNLL2VCOW5RCmZIVVNkbi9hWnpMcjFGMldrWjVC
alhIMmZLZWVGam9Ld1ZIdjNvcm4xbGcKLS0tIEtYQ2RDWWtNSlpibmJXZHRQdlVD
ZFhFdHpSbkFSaTc2VmUyeHUwalZCVUUKNMDMcyrV2J2zhX/m6W5pIzp5YoQlPdKY
0QA7RYTQQIBuu0C19+E3VlpU0eMHupsTpqTHMA6RNSwY3wyyV10hrA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-15T06:32:59Z"
mac: ENC[AES256_GCM,data:tJpQdvPndAmv9AG81vYlD7Bgf+/np2uOBZ4AjgBJc3D9l80Rb+BVS5DPjFpVhOiIxe5vrKDKfiYAe2Ke6x5F9bE6vIC7CA5pN2oAQ/h5K4wwyCrjCSPMqkjv3KB+a2EFKeX2JRHeGfz+RMMYjnk8lhG9DdxZT9q1T9TyKdFchbc=,iv:bY/hNb3QvCKC0bmtCWZeb4cNgbXNCAWcFhAuKQI4WPM=,tag:3MJGVP4aLuFrZ46rwOS0EA==,type:str]
pgp:
- created_at: "2025-04-15T06:28:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzwtBoBqH5ZOAQ//cOhooxvYdj++jbDDcv6w70gh3K62r5AcBf5iEXgtbHcZ
Ag0qQpGxb6dySyys/++//fRizVTokQUd+zFHMX8ppMri7JHlw0ioX7GvUAwlW2jE
6nibHvbJFYEJ2xIunGHJwJ98ryPp65qdP0wCyMsdzCc+UOzgKeeyi3NccYbQXYCK
0aQ0VnDHh0OF1B9vLbBCSaCfZstTCG8ADnK6FzANipoMoU8KytFdUqjj3zZxNwfx
9lgZocFoNm7Kx4Uv5r0DXKrJe56q0UJPFMkDnPoRp8YRU9h7tt2yUvBL9lJyIoFy
D/eKIPokM4CjeqByecDfsRTlmmFLRPPoLXHWklcJFkmapfW/c3jmsUhZwq8WAaSa
LxtFkesveyXhn/xuL6uWWTtmGdmwk4gJ0QIDDlDhGrrkuHSgRqb+2wI90pIggmHS
tZvsSfT16FOWuWgO5Fx+PQqNLT2vvMnsVxFkWeNdvpQ1sBd3BPZiwE48pVaTNQwH
2NNYY4gZPxKFPsj1CesPVa8x2jskguYMZ8Mo4O3GSn77jKbaj+GtrBSy+TE2dSJ7
k7LEuqtnmGBE1JrsEeXXWmVAnY3mWcaTKmljFOSBOT9/jJPUATTbuB0CCIdlsxlB
O3egc9x5VRgYshBnznw/IipLFUGBD0idUFwch+ijPyLk3efhFDXuvId22IPfmjDS
XgH83/dkii+PTK0tNdtaeIx8zEtamRlS8UYSE8f/Oko78X2O7Vy/wRpdAgs9RslB
VP1Ti9J3yFvo6mhFZg4Mm//WFa8dsMbphjoKKAqrHP0Qa4Z2O5GJvUMkKC0Gy1s=
=pswU
-----END PGP MESSAGE-----
fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
unencrypted_suffix: _unencrypted
version: 3.10.1